TINC - Initial setup
-
I have two pfSense routers setup, both with public IPs on the WAN.
Router A has 192.168.117.0/24 on the LAN
Router B has 10.26.0.0/16 on the LAN
The TINC daemons on each router are connecting to each other and their respective networks are listed under the TINC status page on each.
Subnet list:
192.168.117.0/24#10 owner 117puritandr
10.26.0.0/16#10 owner 476summitst
End of subnet list.
However, the routing table on each router does not reflect this information and only has a single route added for the tun interface.
For example, RouterB has a route for 10.0.0.0/8 with the TUN interface.
I know this is somehow related to the Netmask option within the TINC config. With all the above, I am unable to ping between networks.
It seems like I don't have the appropriate routes in my tables, but I'm not sure why.
What am I doing wrong?
-
It might be because of the VPN netmask. I don't know how you can connect those two subnets together, I only connect 192.168 networks with a VPN netmask of 255.255.0.0 . I've never tried using a netmask of 0.0.0.0 perhaps you can try that?
-
Yeah, I'll have to try that locally as it may break the Internet connection if it overrides the default gateway.
Does anyone know if this is the only routing method that TINC supports?
Seems rather crude to me, but maybe I'm missing something.
If it knows about the other subnets, why can't it just add those to the routing table instead of a single "netmask" route?
-
I added the 192.168.26.0/24 subnet to Router B and was able to ping across it to the 192.168.117.0/24 subnet on my other router, so now I know that TINC itself is working.
So three questions...
1 - Can the routing be setup differently to allow 10.0.0.0/8 networks and 192.168.0.0/16 networks to be connected together?
2 - How would Multi-WAN factor in? Could the TINC daemon establish connections over either WAN?
3 - Should I forget all this, and stick with multiple OpenVPN tunnels and OSPF?
-
re: point (3) I just swapped from using OpenVPN and OSPF in the FRR package because I kept getting asymmetric routes. E.g. from node 1 to 3 via node 2, but coming back from node 3 to 1 via node 4. I also had problems with OpenVPN connections stopping, but I think that was mainly to do with the fact that some of the nodes are in countries that don't like VPNs.
Tinc is much easier in this regard. I have about 15 nodes. I'm currently changing all my 10.x.x.x subnets into 192.168.x.x ones, but if you find a solution to point (1) that'd be cool. Maybe there's a way to use outbound NAT to change the subnet? Aliases? Just a thought.
Native tinc also supports multiple VPNs, but that's not available in the pfSense package, maybe that's a solution if the package was upgraded to allow multiple daemons.
-
What effect did the asymmetric routes have on your network?
-
Well, UDP and ICMP connections worked just fine because they are stateless. But TCP connections didn't work, because they are stateful and the pfSense didn't like replies coming from a different place from where they were sent. There's some stuff about sloppy states, but I couldn't make it work.
https://www.netgate.com/docs/pfsense/firewall/troubleshooting-blocked-log-entries-due-to-asymmetric-routing.html
I was going to try setting the route weights manually to try to force symmetrical routes, but I went for tinc instead. The tinc thing makes all that a lot less trouble.
-
I've made some progress with tinc and my subnets.
I sent a message to the tinc mailing list...
https://www.tinc-vpn.org/pipermail/tinc/2018-August/005284.html
and got the following response...
https://www.tinc-vpn.org/pipermail/tinc/2018-August/005285.html
which led me to...
https://www.tinc-vpn.org/pipermail/tinc/2018-August/005287.html
In summary, by adding this line...
route add "$SUBNET" -iface "$INTERFACE"
to the Subnet Up Script section under the Advanced options of tinc, my routing table was updated with routes for my remote networks.
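The one-liner above works, but a matching Subnet Down script is needed so stale routes disappear when a node goes away. The script below is an added example for the pfSense tinc package's Subnet Up / Subnet Down boxes, not code from the thread or from the package; it assumes tinc exports NODE (subnet owner), NAME (local node), SUBNET and INTERFACE to the script, that SUBNET may carry a "#weight" suffix like the status page shows, that only IPv4 prefixes are in use (as in this thread), and that the box runs under /bin/sh. The interface name tun0 in the comments is a constructed placeholder.

```shell
#!/bin/sh
# Added example: subnet-up / subnet-down helper for tinc in router mode on
# pfSense/FreeBSD. Assumes tinc sets NODE, NAME, SUBNET and INTERFACE.

# Print the FreeBSD route command for one subnet event, or nothing if the
# event should be ignored. $1 is "up" or "down".
tinc_route_cmd() {
    action=$1
    subnet=${SUBNET%%#*}            # strip a "#10"-style weight suffix, if present

    # Assumption: tinc may also announce the local node's own subnets; adding
    # those via the tunnel would shadow the LAN route, so skip them.
    [ "$NODE" = "$NAME" ] && return 0

    # Only dotted-quad IPv4 prefixes are handled (the thread is IPv4-only);
    # MAC subnets from switch mode or IPv6 prefixes are left alone.
    case $subnet in
        *.*.*.*/*) ;;
        *) return 0 ;;
    esac

    case $action in
        up)   echo "route add $subnet -iface $INTERFACE" ;;
        down) echo "route delete $subnet" ;;
        *)    return 1 ;;
    esac
}

# Run the command tinc asked for. Put a final line "tinc_subnet_script up" in
# the Subnet Up Script box and "tinc_subnet_script down" in Subnet Down.
tinc_subnet_script() {
    cmd=$(tinc_route_cmd "$1") || return 1
    [ -n "$cmd" ] && $cmd
    return 0
}
```

Because `route delete` keys only on the prefix, the down script removes exactly the route the up script added, even if the tun interface name changed between events.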
-
Very interesting, thanks for posting.
-
Do you happen to know if the tinc package is compatible with a multi-wan setup?